
[ScreenOS] Best Practices: NSRP and Track-IP

Article ID: KB9309 | Last Updated: 27 Dec 2017 | Version: 7.0
Summary:
Track-IP can be used to monitor Layer-3 connectivity in an NSRP environment. When used in conjunction with NSRP interface monitoring, it gives much more reliable and robust NSRP failover.

Essentially, track-IP works by sending ICMP (or ARP) heartbeats to one or more configurable hosts. If a configurable threshold of consecutive heartbeats is lost, the host is deemed down and the NSRP failover event is triggered.
Symptoms:
NSRP Track-IP proves absolutely vital to achieving a successful failover event when the primary Juniper firewall stops passing traffic but its monitored interfaces remain up.
Solution:

You must allot a certain amount of time for planning and testing to create a Track-IP configuration that minimizes both false positives (failover events when the network is not down) and false negatives (no failover event when the network is down). You have to determine one or more hosts that can reliably respond to ICMP/ARP traffic (for example, the firewall's next-hop gateway IP). For situations that require multiple Track-IP hosts, you may have to adjust the weight values to ensure that failover occurs when required.

The following track-IP configuration examples are for monitoring one and two hosts:


Example 1 - NSRP track-ip config commands for monitoring one Reliable Host:

Send ICMP packet every 3 seconds:

set nsrp monitor track-ip ip 192.168.1.100 interval 3

5 consecutive packets without a response will trigger failover:

set nsrp monitor track-ip ip 192.168.1.100 threshold 5

The interface from which these packets are sourced:

set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1/1

The weight of this particular track-ip failure (only this IP must be unreachable to trigger the failover event) is:

set nsrp monitor track-ip ip 192.168.1.100 weight 255

Example 2 - NSRP track-ip config commands for monitoring two Hosts & trigger failover only when both are unreachable:

Note: In this example, when both hosts are unreachable, a firewall failover will be triggered.

Commands to monitor Host1:

Send ICMP packet every 3 seconds:

set nsrp monitor track-ip ip 192.168.1.100 interval 3

5 consecutive packets without a response will trigger failover:

set nsrp monitor track-ip ip 192.168.1.100 threshold 5

The interface from which these packets are sourced:

set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1/1

The weight of this particular track-ip failure (both IPs must be unreachable to trigger the failover event) is:

set nsrp monitor track-ip ip 192.168.1.100 weight 128

Commands to monitor Host2:

Send ICMP packet every 3 seconds:

set nsrp monitor track-ip ip 10.10.1.100 interval 3

5 consecutive packets without a response will trigger failover:

set nsrp monitor track-ip ip 10.10.1.100 threshold 5

The interface from which these packets are sourced:

set nsrp monitor track-ip ip 10.10.1.100 interface ethernet2/1

The weight of this particular track-ip failure (both IPs must be unreachable to trigger the failover event) is:

set nsrp monitor track-ip ip 10.10.1.100 weight 128

Example 3 - NSRP track-ip config commands for monitoring two Reliable Hosts:

Note: In this example, when only one Host is unreachable, a firewall failover will be triggered.

Commands to monitor Host1:

Send ICMP packet every 3 seconds:

set nsrp monitor track-ip ip 192.168.1.100 interval 3

5 consecutive packets without a response will trigger failover:

set nsrp monitor track-ip ip 192.168.1.100 threshold 5

The interface from which these packets are sourced:

set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1/1

The weight of this particular track-ip failure (only one IP must be unreachable to trigger the failover event) is:

set nsrp monitor track-ip ip 192.168.1.100 weight 255

Commands to monitor Host2:

Send ICMP packet every 3 seconds:

set nsrp monitor track-ip ip 10.10.1.100 interval 3

5 consecutive packets without a response will trigger failover:

set nsrp monitor track-ip ip 10.10.1.100 threshold 5

The interface from which these packets are sourced:

set nsrp monitor track-ip ip 10.10.1.100 interface ethernet2/1

The weight of this particular track-ip failure (only one IP must be unreachable to trigger the failover event) is:

set nsrp monitor track-ip ip 10.10.1.100 weight 255
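The weight arithmetic behind Examples 2 and 3 (and the weight guidance in the Solution above) can be checked before touching a live cluster. The following Python is an added example, not ScreenOS code or part of this article: it parses the per-host track-ip commands shown above, models the consecutive-loss threshold, and sums the weights of down hosts against the device-wide track-ip threshold. It assumes that threshold is 255 (the ScreenOS default, which the article does not state) and assumes per-host defaults where a keyword is omitted.

```python
from collections import defaultdict

# Assumptions: device-wide track-ip threshold 255 (ScreenOS default, not stated in the
# article) and per-host defaults interval 1 s / threshold 3 / weight 255 when omitted.
DEVICE_THRESHOLD = 255
DEFAULTS = {"interval": 1, "threshold": 3, "weight": 255, "interface": None}

def parse_track_ip(config_text):
    """Parse 'set nsrp monitor track-ip ip <ip> <keyword> <value>' lines per host."""
    hosts = defaultdict(lambda: dict(DEFAULTS))
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:5] != ["set", "nsrp", "monitor", "track-ip", "ip"] or len(parts) != 8:
            continue  # not a per-host track-ip line (e.g. the device-wide threshold)
        ip, keyword, value = parts[5:8]
        hosts[ip][keyword] = value if keyword == "interface" else int(value)
    return dict(hosts)

def host_down(probe_results, threshold):
    """A host counts as down once `threshold` consecutive heartbeats go unanswered."""
    streak = 0
    for answered in probe_results:
        streak = 0 if answered else streak + 1
        if streak >= threshold:
            return True
    return False

def failover_triggered(hosts, probes, device_threshold=DEVICE_THRESHOLD):
    """Failover fires when the weights of all down hosts add up to the device threshold."""
    failed_weight = sum(cfg["weight"] for ip, cfg in hosts.items()
                        if host_down(probes.get(ip, []), cfg["threshold"]))
    return failed_weight >= device_threshold

# Constructed config text mirroring the article's Example 2 and Example 3
# (identical apart from the per-host weight: 128 each versus 255 each).
EXAMPLE_2 = """set nsrp monitor track-ip ip 192.168.1.100 interval 3
set nsrp monitor track-ip ip 192.168.1.100 threshold 5
set nsrp monitor track-ip ip 192.168.1.100 interface ethernet1/1
set nsrp monitor track-ip ip 192.168.1.100 weight 128
set nsrp monitor track-ip ip 10.10.1.100 interval 3
set nsrp monitor track-ip ip 10.10.1.100 threshold 5
set nsrp monitor track-ip ip 10.10.1.100 interface ethernet2/1
set nsrp monitor track-ip ip 10.10.1.100 weight 128"""
EXAMPLE_3 = EXAMPLE_2.replace("weight 128", "weight 255")

# Constructed heartbeat history: host1 misses 5 in a row, host2 keeps answering.
ONE_HOST_SILENT = {"192.168.1.100": [True, False, False, False, False, False],
                   "10.10.1.100": [True] * 6}
BOTH_SILENT = {ip: [False] * 5 for ip in ONE_HOST_SILENT}
```

With one host silent, the Example 2 configuration stays put (128 is below 255) while Example 3 fails over; with both silent, both configurations fail over. At interval 3 and threshold 5, a silent host is declared down roughly 15 seconds after its last reply, which is the delay to budget for when testing.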

A more detailed analysis can be found in Volume 11 of the Concepts and Examples ScreenOS Reference Guides.

For configuration examples of NSRP track-ip and troubleshooting steps/commands, refer to KB11357 - [ScreenOS] NSRP Monitor Track IP Configuration Examples.

If it is configured but not working, refer to KB9814 - Troubleshooting an NSRP Active/Passive device that is not failing over, which is part of the NSRP Troubleshooting Guide.

Note: A 'manage IP' address must be configured on the interfaces that are used to contact the Track-IP hosts. For more information, refer to KB4059 - Configuring a manage-IP address on Juniper firewall.
Modification History:
2017-12-27: Article reviewed for accuracy. Edited examples 1, 2 & 3. Removed links for 5.4.0 release & added for 6.3.0 release. Article is correct and complete.